Method and device for improving the robustness with respect to &#34;adversarial examples&#34;

ABSTRACT

A method for generating a manipulated data signal for misleading a first machine learning system, which is designed to ascertain a semantic segmentation of a received one-dimensional or multi-dimensional data signal, the method having the following steps: a) ascertaining a desired semantic segmentation of the manipulated data signal; and b) generating the manipulated signal as a function of the received data signal and the ascertained desired semantic segmentation as well as an estimated semantic segmentation of the manipulated data signal.

CROSS REFERENCE

The present application claims the benefit under 35 U.S.C. § 119 ofGerman Patent Application No. DE 202017102381.8 filed on Apr. 21, 2017,which is expressly incorporated herein by reference in its entirety.

FIELD

The present invention relates to a method for generating a manipulateddata signal, to a method for assessing a robustness of anactuator-control system, and to a method for training anactuator-control system; it also relates to devices which are set up forexecuting these methods.

BACKGROUND INFORMATION

A neural network for a control unit is described in German PatentApplication No. DE 10 2005 050 577 A1. The neural network 1 for acontrol unit is tested. The neural network has a plurality of firstneurons N1, N2, . . . , Nn in a first layer, and a second neuron M in asecond layer following the first layer. Each test-signal combination isselected from a predefined plurality of test-signal combinations. Eachtest-signal combination assigns a test-input-signal vector ut1, ut2, . .. , utk to each first neuron N1, N2, . . . , Nn, which is either a zerosignal or saturates the associated first neuron N1, N2, . . . , Nn insuch a way that the first neuron N1, N2, . . . , Nn outputs a lowersaturation value φmin, or saturates associated first neuron N1, N2, . .. , Nn in such a way that first neuron N1, N2, . . . , Nn outputs anupper saturation value. The test-signal combination is applied to firstneurons N1, N2, . . . , Nn, and output signal p of second neuron M isacquired. A partial test signal is stored when output signal p isgreater than a predefined threshold value. A positive total test signalis output after each of the test-signal combinations has been appliedand when no partial test signal is stored for the predefined pluralityof test-signal combinations.

SUMMARY

The present method makes semantic segmentations ascertained with the aidof machine learning methods particularly robust with respect to what isknown as adversarial examples. Adversarial examples are slightlymanipulated input data (which in the case of image data are so similarto the non-manipulated input data that they are virtuallyindistinguishable by human experts), which may lead to a significantchange in the ascertained semantic segmentation. For example, it wouldbe possible that a malicious attacker uses such an adversarial examplein order to mislead an autonomous robot, for instance by suppressing asemantic segmentation that marks an actually existing river as “river”;this could result in a risk to the autonomous robot that carries out itsroute planning on the basis of this semantic segmentation. Theeffectiveness of such attacks is able to be reduced with the aid of themethod according to the present invention.

Advantageous further developments are described herein.

In a first aspect, the present invention relates to a method forgenerating a manipulated data signal for misleading a first machinelearning system that is set up to ascertain a semantic segmentation of areceived one-dimensional or multi-dimensional data signal, the presentmethod including the following steps:

-   a) Ascertaining the desired semantic segmentation of the manipulated    data signal; and-   b) Generating the manipulated data signal as a function of the    received data signal and the ascertained desired semantic    segmentation as well as an estimated semantic segmentation of the    manipulated data signal.

A semantic segmentation of the data signal normally means that asemantic value from a predefined selection of possible semantic valuesis allocated to sections of the data signal.

If the semantic segmentation of these adversarial examples isascertained with the aid of the first machine learning system, then,depending on the desired semantic segmentation, a clear differenceresults in comparison with the corresponding semantic segmentation ofthe respective unbiased data signal.

The estimated semantic segmentation is able to be ascertained by thefirst machine learning system or by a simulation of the first machinelearning system.

The semantic segmentation is preferably performed in a “pixelwise”manner, i.e., the semantic segmentation has the same dimensionality asthe one-dimensional or multi-dimensional data signal and preferablyallocates a semantic value to each data point in the one-dimensional ormulti-dimensional data signal.

Generating data signals that are manipulated in this manner inparticular makes it possible to improve the robustness of the firstmachine learning system for the semantic segmentation with respect topotential attackers and to assess the robustness in a reliable manner.

In one advantageous further development of the present invention, it maybe provided that the desired semantic segmentation is selected as afunction of an estimated semantic segmentation of the received datasignal.

The desired semantic segmentations are thereby able to be generated withespecially little effort since no actual, “true” semantic segmentationof the data signals of the training dataset is required.

It may additionally be provided in accordance with the present inventionthat the desired semantic values of the desired semantic segmentationare selected as a function of whether the estimated semantic values ofthe estimated semantic segmentation assume a predefinable value.

This allows for a particularly effective simulation of attacks that areintent on suppressing the information of data points whose semanticvalue has a predefinable value.

In this context it may be provided to use a substitute value for thedesired semantic values at a position at which the estimated semanticvalues assume the predefinable value. The substitute value is a valuethat differs from the estimated semantic value.

The substitute value is advantageously the particular estimated semanticvalue at a substitute position close to said position. For instance, thesubstitute position may be the nearest position whose estimated semanticvalue differs from the predefinable value.

According to another aspect of the present invention, it may be the casethat the desired semantic values are selected so as to equal theestimated semantic values if the estimated semantic values do not assumethe predefinable value. In other words, at the positions, and inparticular precisely at the positions at which the estimated semanticvalues do not assume the predefinable value, the desired semantic valuesare selected so as to equal the estimated semantic values.

Each one of the two previously mentioned measures makes it possible tosimulate an attacker who lets the suppressed data points transition intothe semantic segmentation of the background in a particularly harmoniousmanner, and thus carries out an especially well-directed attack.

This may be accomplished in that the generation of the manipulated datasignal is performed using a function value of a cost function of thefirst machine learning system that is assumed by said cost functionamong the data signals manipulated in this manner and for the desiredsemantic segmentations. In other words, in the usual manner, the costfunction has as arguments the output value (the ascertained semanticsegmentation) of the first machine learning system that was ascertainedby the first machine learning system as a function of its input signal(the data signal). Furthermore, in the usual manner, the cost functionhas a desired semantic segmentation (i.e. desired semantic values) as afurther argument. It is now provided to substitute the manipulated datasignal for the data signal as the input signal.

More specifically, the manipulated data signal may be selected from aset of allowed data signals such that it numerically minimizes the costfunction among the data signals manipulated in this manner for thedesired semantic values. For example, such a numerical minimization maybe carried out by an iterative method, the iterative method beingterminated once a predefinable abort criterion (e.g., after apredefinable number of iteration steps) has been reached. It is clear toone skilled in the art that the theoretically achievable minimum willusually be reached merely approximately rather than precisely.

In one flexible further development, it may be the case that the costfunction encompasses two components, one of which characterizes theshare of the particular positions in the cost function whose estimatedsemantic values assume the predefinable value, and the othercharacterizing the share of the particular positions in the costfunction whose estimated semantic values do not assume the predefinablevalue, these two components being weighted relative to each other in apredefinable manner.

This makes it particularly easy to flexibly simulate not only attacksaimed at suppressing information of data points whose semanticsegmentation has a predefinable value in the most efficient mannerpossible (this may be accomplished by high weighting of the firstcomponent) but also to simulate attacks aimed at disturbing the semanticbackground as little as possible in order to be particularly difficultto detect in this manner (this may be accomplished by high weighting ofthe second component).

In a further aspect, the present invention is directed to such datasignals that include a sequence of time slices, e.g., video signals. Itmay now be provided that the desired semantic segmentation of the datasignals of a predefinable time slice be selected as a function of anestimated semantic segmentation of the data signal of a further timeslice, the further time slice temporally preceding the predefinable timeslice. This may advantageously be utilized to simulate an attacker whois intent on hiding a suspicious activity, e.g., from video monitoringusing a static camera.

This may be accomplished in a particularly uncomplicated manner througha fixed selection of the further time slice and by selecting the desiredsemantic segmentation of the data signal for each predefinable timeslice that temporally follows the further time slice so that it equalsthe estimated semantic segmentation of the data signal of the furthertime slice.

In an additional refining aspect, it is provided to use the presentinvention for assessing a robustness of an actuator-control system forthe control of an actuator, which includes a first machine learningsystem designed to ascertain a semantic segmentation of a receivedone-dimensional or multi-dimensional data signal that characterizes astatus of an actuator system including the actuator and an environmentof the actuator. The actuator-control system is designed to ascertain acontrol signal as a function of the ascertained semantic segmentationand to control the actuator as a function of the ascertained controlsignal.

It may then be provided that a manipulated data signal is ascertained asa function of the data signal using one of the aforementioned methods,and that a second control signal is ascertained as a function of anascertained second semantic segmentation, which is ascertained with theaid of the first machine learning system by exchanging the data signalfor the manipulated data signal (i.e. instead of the data signal, themanipulated data signal is supplied to the first machine learningsystem). A decision is then made as a function of the control signal andalso as a function of the second control signal as to whether or not theactuator-control system is robust.

Such a method may particularly also run during the operation of theactuator-control system in order to assess whether the actuator-controlsystem would exhibit a robust behavior in response to a potential attackon a continuous basis or at regular time intervals.

On this basis, an operation of an actuator-control system forcontrolling an actuator is able to be provided, and it is assessed, aspreviously described, whether or not the actuator-control system isrobust, with the actuator-control system controlling the actuator as afunction of the assessment. In particular, the actuator-control systemis able to be transferred into a safe mode in the event that theassessment indicates that the actuator-control system is not robust.

According to one still further aspect, the present invention relates tothe training of an actuator-control system, which in particular includesa first machine learning system, which is designed to ascertain asemantic segmentation of a received one-dimensional or multi-dimensionaldata signal that characterizes the status of an agent system, inparticular an actuator system including an actuator and an environmentof the actuator. Furthermore, the actuator-control system is designed toascertain an output value of a second machine-learning system, whichcharacterizes a probability that the semantic segmentation is false, andin particular, that the data signal is an adversarial example. A controlof the actuator may take place as a function of the ascertained semanticsegmentation, and the control of the actuator may take place accordingto a fault-defense reaction if a decision was made that a fault ispresent. This training method includes the following steps:

-   a) Selecting a subset of data signals from a training set for the    second machine learning system that includes data signals;-   b) Deciding whether or not the data signals of this subset are to be    manipulated;-   c) If a decision was made to manipulate the data signals,    ascertaining manipulated data signals as a function of the    respective data signals with the aid of one of the aforementioned    methods, and substituting the respective ascertained manipulated    data signals for the data signals;-   d) Setting a desired output value to the value of a predefinable    first numerical value when the data signals will not be manipulated,    or setting the desired output value to a second predefinable    numerical value that differs from the first numerical value when the    data signals are manipulated; and-   e) Training the parameters of the second machine learning system    using the (possibly manipulated) subset of observed values and    associated desired output values.

By adapting the manipulation of the data signals to the respective datasignals, this training method makes it possible to avoid anover-adaption of the second machine learning system in a particularlysatisfactory manner.

According to one still further aspect, the present invention relates todevices that include a machine-readable memory medium and a computer.The machine-readable memory medium stores a computer program whichincludes instructions that induce the device to carry out all of thesteps of one of the aforementioned methods when the computer program isrunning on the computer.

Specific embodiments of the present invention are described in greaterdetail below with reference to the figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows schematically, an interaction between the actuator and theactuator-control system.

FIG. 2 shows schematically, an interaction between the training systemand the actuator-control system.

FIG. 3 shows a specific embodiment of a training method.

FIG. 4 shows specific embodiments of the present method for ascertainingthe manipulated data signal.

FIG. 5 shows a specific embodiment of the present method for assessingthe robustness of the actuator-control system.

FIG. 6 shows a specific embodiment of the present method for operatingthe actuator-control system.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

FIG. 1 shows an actuator 10 in its environment 20 in an interaction withan actuator-control system 40. Hereinafter, actuator 10 and environment20 are jointly also referred to as an actuator system. A status of theactuator system is detected by a sensor 30, which may also be providedin the form of a plurality of sensors. An output signal S of sensor 30is transmitted to actuator-control system 40. Actuator-control system 40ascertains a control signal A therefrom, which is received by actuator10.

Actuator 10, for instance, may be a (partially) autonomous robot, e.g.,a (partially) autonomous motor vehicle. Sensor 30, for example, mayinvolve one or more video sensor(s) and/or one or more radar sensor(s),and/or one or more ultrasonic sensor(s), and/or one or more positionsensor(s) (such as GPS).

Alternatively or additionally, sensor 30 may also include an informationsystem which ascertains an item of information pertaining to a status ofthe actuator system such as a weather-information system, whichdetermines a current or future status of the weather in environment 20.

In another exemplary embodiment, actuator 10 may be a production robot,and sensor 30 may then involve an optical sensor, for example, whichdetects characteristics of manufacturing products of the productionrobot.

In another exemplary embodiment, actuator 10 may be a release system,which is designed either to enable or not to enable the activity of adevice. Sensor 30, for instance, may be an optical sensor (e.g., for thedetection of image or video data), which is designed to detect a face.Actuator 10 ascertains a release signal as a function of control signalA, which may be used to enable the device as a function of the value ofthe release signal. For instance, the device may be a physical orlogical access control. Depending on the value of control signal A, theaccess control may then grant or refuse access.

Actuator-control system 40 receives output signal S from the sensor inan optional receive unit 50, which converts output signal S into a datasignal x (alternatively, it is also possible to directly accept outputsignal S as data signal x). Data signal x, for instance, may be asegment or further processing of output signal S. Output signal x isforwarded to a first machine learning system 60 such as a neuralnetwork.

In one preferred exemplary embodiment, which will be described in thefollowing text, data signal x is a two-dimensional image signal whosepixels are characterized by one or three numerical values. However, datasignal x may also be some other one-dimensional or multi-dimensionaldata signal.

First machine learning system 60 uses image signal x in order toascertain an associated semantic segmentation y_cls. In the process, asemantic value is allocated to each section of image signal x. Apixelwise segmentation is performed in the exemplary embodiment, i.e.semantic segmentation y_cls has the same dimension as data signal x.

Semantic segmentation y_cls may characterize probabilities that thispixel will be classified as belonging to a particular semantic class(from a plurality of semantic classes). For each pixel, for example,semantic segmentation y_cls may be a vector-value quantity, whichindicates for each of the semantic classes, with the aid of an allocatednumber in the value interval [0; 1], the likelihood that this pixelshould be allocated to the respective semantic class. Semanticsegmentation y_cls may also be a scalar quantity for each pixel, e.g. anidentifier of the particular semantic class whose above-describedprobability assumes the greatest value.

In addition, actuator-control system 40 includes a second machinelearning system 70, e.g., a neural network. Second machine learningsystem 70 also receives image signal x and ascertains an output valuey_det therefrom, which, for example, may be a number in the value range[0; 1] and may characterize a probability that observation value B wasmanipulated in such a way that semantic segmentation y_cls does notcorrectly characterize image data x.

This is accomplished in the exemplary embodiment by setting up secondmachine learning systems 70 in such a way that output value y_detcharacterizes a likelihood that image signal x is an adversarialexample.

Semantic segmentation y_cls and output value y_det are transmitted to anoutput unit 80, which ascertains control signal A therefrom. Forexample, it is possible that the output unit first checks whether outputvalue y_det is smaller than a predefinable threshold value. If this isthe case, control signal A is ascertained as a function of semanticsegmentation y_cls. This is the normal case. On the other hand, if it isascertained that output value y_det is not smaller than the predefinablethreshold value, then control signal A may be developed in such a waythat it transfers actuator A into a safe mode.

In one specific embodiment, actuator-control system 40 includes acomputer as well as a machine-readable memory medium (not shown) whichstores a computer program that, when executed by the computer, inducesthe computer to execute the described functionalities ofactuator-control system 40. First machine learning system 60 and secondmachine learning system 70 may in particular be implemented as separateor shared computer programs in this instance.

FIG. 2 illustrates the interaction between a training system 90, firstmachine learning system 60, and second machine learning system 70.Training system 90 has a training dataset that includes image signals x.One or more image signal(s) x is/are selected from the training datasetand made available to first machine learning system 60. This may involveindividual image signals x, i.e. those that are also forwarded to firstmachine learning system 60 when actuator-control system 40 isinteracting with actuator 10 and sensor 30. However, it may also involvea batch, i.e. a plurality of such image data x.

Using the image data x it has received, first machine learning system 60ascertains a respective semantic segmentation y_cls. In the same way,second machine learning system 70 ascertains an output value y_det,analogous to FIG. 1. Semantic segmentation y_cls and output value y_detare once again forwarded to training system 90. Training system 90ascertains a parameter-adaptation signal P therefrom, which encodeswhich particular parameters of second machine learning system 70 are tochange their values and in which way. For example, this desiredadaptation is performed by specifying desired values for output valuey_det and back propagation. Training system 90 forwardsparameter-adaptation signal P to an adaptation block 95 for thispurpose, which appropriately adapts the parameters in first machinelearning system 60 and in second machine learning system 70. In thiscase it is possible to adapt only the parameters of first machinelearning system 60 or only the parameters of second machine learningsystem 70.

In one specific embodiment, training system 90 includes a computer and amachine-readable memory medium (not shown), which stores a computerprogram that, when running on a computer, induces the computer toexecute the described functionalities of learning system 90.

FIG. 3 shows in the form of a flow diagram a specific embodiment of amethod for training the parameters of second machine learning system 70with the aid of training system 90.

In this instance, the parameters of first machine learning system 60 arefrozen, and the parameters of second machine learning system 70 aretrained.

To begin with (1110), for each image signal x that was forwarded tofirst machine learning system 60 in the first training phase, a decisionis made as to whether or not it will be manipulated. For instance, thismay be carried out randomly using a predefinable probability, e.g., 50%.

Next (1120), the desired second output values y_det of image signals xthat are to be manipulated are set to the value “1” and otherwise theyare set to the value “0”.

In the following step 1130, the respective manipulated form x^(adv) isascertained for image signals x that are to be manipulated. The methodfor generating manipulated image signals x^(adv) is illustrated in FIG.4.

Then (1140), image signals x that are to be manipulated are replaced bytheir ascertained manipulated form x^(adv).

In the next step 1150, the trained parameters of first machine learningsystem 60 are frozen, and the parameters of second machine learningsystem 70 are trained.

The training of the parameters is performed with the aid of describedcost function J_(det) of second machine learning system 70 and backpropagation.

This concludes second phase 1100.

FIG. 4 shows methods for generating manipulated image signals x^(adv),in the form of flow diagrams. FIG. 4a illustrates a first method of thistype.

In a first step 2000, image signal x for which manipulated image signalx^(adv) is to be generated is made available.

This is followed by step 2010, in which the associated semanticsegmentation y_cls is ascertained with the aid of first machine learningsystem 60 (an equivalent system may be used instead of first machinelearning system 60). Hereinafter, this semantic segmentation y_cls isalso denoted by the symbol f_(θ)(x), with θ denoting the parameters ofthe first machine learning system 60 and f denoting the mapping rulethat machine learning system 60 executes. For each point (i,j) asemantic value y^(pred) _(ij)=f_(θ)(x)_(ij) is therefore estimated. Theassociated estimated semantic segmentation is also denoted by symboly^(pred).

In step 2020, a predefined class o is defined, i.e. o being apredefinable value, which corresponds to one of the permissible semanticvalues. Now, a foreground set I_(o) is defined as the set of all thepoints (i,j) of image signal x whose associated estimated semanticvalues y^(pred) _(ij) assume said predefinable value _(o). Furthermore,a background set I_(bg) is ascertained, which includes all of theparticular points whose associated estimated semantic values y^(pred)_(i,j) do not assume this predefinable value o. The combination offoreground set I_(o) and background set I_(bg) is also referred to astotal set I.

In step 2030, a desired semantic segmentation y^(target), whoseassociated semantic values y^(target) _(ij) is [sic; are] selected so asto equal the corresponding estimated semantic value y^(target) _(ij) foreach point (i,j) contained in background set I_(bg), is ascertained forimage signal x. In addition, a substitute value is ascertained for eachpoint (i,j) contained in foreground set I_(o). For this purpose, asubstitute position (i′,j′) is first ascertained in image signal x, i.e.with the aid of

$i^{\prime},{j^{\prime} = {{\underset{i^{\prime},j^{\prime},{\in I_{bg}}}{\arg \; \min}\left( {i^{\prime} - i} \right)^{2}} + {\left( {j^{\prime} - j} \right)^{2}.}}}$

The semantic value at this substitute location (i,j′) is then selectedas the substitute value. It is selected for the point (i,j) in thedesired semantic segmentation y^(target), i.e. y^(target) _(ij)=y^(pred)_(i′j′).

In one alternative specific development, the method runs throughalternative steps 2001, 2011, 2021 and 2031 rather than steps 2000,2010, 2020 and 2030. This alternative specific embodiment may be used inthe case of image signals x that are made up of a plurality of timeslices t, such as video signals, i.e. for each time slice t, imagesignal x includes an image signal x_(t) that is allocated to this timeslice.

The alternative specific embodiment begins in step 2001, in which imagesignal x_(t) to be manipulated is made available for a specific timeslice t.

Then (2011), a further time slice t0 is predefined, and image signalx_(t0) belonging to this time slice t0 is made available. The semanticsegmentation y^(pred) _(t0) associated with this image signal x_(t0) isascertained as y^(pred) _(t0)=f_(θ)(x_(t0)), analogous to step 2010.

In the event that time slice t is associated with a later instant thanfurther time slice t0, the desired semantic segmentation y^(target)_(t)=y^(pred) _(t0) will be set in step 2021.

In the event that time slice t is not associated with an instant laterthan further time slice t0, the desired semantic segmentation y^(target)_(t) will be ascertained in step 2031, analogous to steps 2000 to 2030,and instead of image signal x, image signal x_(t) associated withexamined time slice t will be utilized in the steps.

Now (2040), a data signal disturbance ζ⁽⁰⁾ with the dimension of imagesignal x is initialized with ζ⁽⁰⁾=0. A counter n is adjusted to thevalue n=0.

Next (2050), the quantity

grad_(x)(ζ^((n)))=∇_(x) J _(ss) ^(ω)(f _(θ)(x+ζ ^((n))),γ^(target))

is calculated.

Quantity J^(ω) _(ss) denotes a weighted cost function of first machinelearning system (60) according to

${J_{ss}^{\omega}\left( {{f_{\theta}(x)},y^{target}} \right)} = {\frac{1}{I}\left\{ {{\omega {\sum\limits_{{({i,j})} \in I_{o}}{J_{cls}\left( {{f_{\theta}(x)}_{ij},y_{ij}^{target}} \right)}}} + {\left( {1 - \omega} \right){\sum\limits_{{({i,j})} \in I_{bg}}{J_{cls}\left( {{f_{\theta}(x)}_{ij},y_{ij}^{target}} \right)}}}} \right\}}$

Here, J_(cls) is a cost function of first machine learning system 60,e.g. a cross entropy.

Quantity ω is a predefinable quantity able to be specified in the valuerange [0; 1], e.g., to the value 0.5.

Then (2060), a next iteration of data-signal disturbance ζ^((n+1)) iscalculated according to the following formula

ζ^((n+1))=Clip_(ε){ζ^((n))−α sgn(grad_(x)(ζ^((n)))}

Here, the function Clip_(ε)(x) normalizes values of a variable x to an εsphere around the origin. The norm may be an L² norm or also an L^(∞)norm. α is specified as a predefinable value such as α=0.25. The valueof variable n is incremented by 1.

Next (2070), it is checked whether a convergence criterion is satisfied.For example, it may be checked whether n has exceeded a predefinablelimit value nmax, e.g., nmax=10. If this is not the case, then it isbranched back to step 2050. In the other case, manipulated image signalx^(adv) is ascertained as a function of data-signal disturbance ζ^((n))and image signal x as x^(adv)=x+ζ^((n)) in step 2080. This concludesthis method.

Using a flow diagram, FIG. 5 illustrates an exemplary embodiment of thepresent method for assessing the robustness of actuator-control system40. In a first step 4000, a data signal x is received. Next (4010),actuator-control system 40 ascertains an associated control signal Atherefrom for the control of actuator 10. Then (4020), using one of themethods illustrated in FIG. 4, a manipulated data signal x^(adv) isascertained from data signal x. This manipulated data signal x^(adv) isalso forwarded to first machine learning system 60, and a secondsemantic segmentation y_cls^(adv) is ascertained. Analogous to theascertainment of control signal A, a second control signal A^(adv) isdetermined from the ascertained second semantic segmentationy_cls^(adv). Next (4030), the difference between control signal A andsecond control signal A^(adv) is ascertained and it is checked (4040)whether the amount of this difference exceeds a predefinable limitvalue. If this is the case (4050), a decision is made thatactuator-control system 40 is not robust, whereas otherwise (4060), adecision is made that actuator-control system 40 is robust. Thisconcludes the method. The present method may be implemented in the formof a computer program, be stored on the memory medium ofactuator-control system 40, or be executed thereby. The computer programis also able to be stored on a generic computer, which is able to belinked to actuator-control system 40, and be executed thereby.

FIG. 6 shows an exemplary embodiment of the present method for operatingthe actuator-control system in the form of a flow diagram. In a firststep 5000, using the method illustrated in FIG. 5, it is ascertainedwhether or not actuator-control system 40 is robust. In step 5010, it isthen checked whether a decision was made that actuator-control system 40is robust. If this is the case (5020), actuator-control system 40 isoperated in a normal manner, and actuator 10 is controlled normally. Ifthis is not the case (5030), actuator-control system 40 is transferredinto a safe mode, for instance in that it can be provided that anabsolute amount of control signal A is restricted to values below acriticality limit. This concludes the present method. The present methodmay be implemented as a computer program, be stored on the memory mediumof actuator-control system 40, or be executed thereby.

1-15. (canceled)
 16. A method for generating a manipulated data signalfor misleading a first machine learning system, which is designed toascertain a semantic segmentation of a received one-dimensional ormulti-dimensional data signal, the method comprising: a) ascertaining adesired semantic segmentation of the manipulated data signal; and b)generating the manipulated signal as a function of the received datasignal, the ascertained desired semantic segmentation, and an estimatedsemantic segmentation of the manipulated data signal.
 17. A method forassessing a robustness of a machine learning system, which is designedto ascertain a semantic segmentation of a received one-dimensional ormulti-dimensional data signal, in particular from a sensor, the methodcomprising: ascertaining a manipulated data signal as a function of thereceived data signal, including a) ascertaining a desired semanticsegmentation of the manipulated data signal, and b) generating themanipulated data signal as a function of the received data signal, theascertained desired semantic segmentation, and an estimated semanticsegmentation of the manipulated data signal; and ascertaining, dependingon the received data signal and the manipulated data signal, whether ornot the machine learning system is robust.
 18. The method as recited inclaim 17, wherein the step of ascertaining whether or not the machinelearning system is robust includes ascertaining a difference between thereceived data signal and the manipulated data signal and subsequentlychecking whether or not an amount of the difference exceeds a predefinedlimit value.
 19. A method for training a machine learning system, whichis designed to ascertain a semantic segmentation of a receivedone-dimensional or multi-dimensional data signal, in particular from asensor, the method comprising: a) selecting a subset of data signalsfrom a training set for the machine learning system that includes datasignals; b) for each data signal of the subset, deciding whether or notthe data signal of the subset is to be manipulated; c) for eachrespective data signal of the subset for which it is decided in step b)is to be manipulated: ascertaining a respective manipulated data signal,the ascertaining including i) ascertaining a desired semanticsegmentation of the respective manipulated data signal, and ii)generating the respective manipulated signal as a function of therespective data signal, the ascertained desired semantic segmentation,and an estimated semantic segmentation of the manipulated data signal,and substituting the ascertained manipulated data signal for therespective data signal; d) for each respective data signal of the subsetfor which it is decided in step b) is not to be manipulated, setting arespective desired output value to a value of a predefinable firstnumerical value, and for each respective data signal of the subset forwhich it decided in step b) is to be manipulated, setting the value ofthe respective desired output value to a second predefinable numericalvalue that differs from the predefinable first numerical value; and e)training parameters of the machine learning system using the ascertainedmanipulated data signals, the respective data signal of the subset forwhich it is decided in step b) is not to be manipulated, and therespective desired output values.
 20. The method as recited in claim 16,wherein the desired semantic segmentation is selected as a function ofthe estimated semantic segmentation of the received data signal.
 21. Themethod as recited in claim 20, wherein desired semantic values of thedesired semantic segmentation are selected as a function of whetherestimated semantic values of the estimated semantic segmentation assumea predefinable value.
 22. The method as recited in claim 21, wherein asubstitute value is substituted for the desired semantic values at aposition at which the estimated semantic values assume the predefinablevalue.
 23. The method as recited in claim 22, wherein the substitutevalue is the estimated semantic value of a substitute position close tothe position.
 24. The method as recited in claim 23, wherein the desiredsemantic values are selected so as to equal the estimated semanticvalues when the estimated semantic values do not assume the predefinablevalue.
 25. The method as recited in claim 21, wherein the generation ofmanipulated data signals takes place as a function of a function valueof a weighted cost function of the first machine learning system whichthe cost function assumes for the manipulated data signal and for thedesired semantic segmentation.
 26. The method as recited in claim 25,wherein each of the ascertained manipulated data signal is selected froma quantity of allowed data signals in such a way that it numericallyminimizes the cost function for the desired semantic values.
 27. Themethod as recited in claim 26, wherein the cost function encompasses twocomponents, one of the two components characterizes a share of positionsin the cost function whose estimated semantic values assume thepredefinable value, and the other of the two components characterizes ashare of the positions in the cost function whose estimated semanticvalues do not assume the predefinable value, and the two components areweighted relative to each other in a predefinable manner.
 28. The methodas recited in claim 16, wherein the received data signal includes asequence of time slices, and the desired semantic segmentation of thereceived data signal of a predefinable time slice is selected as afunction of an estimated semantic segmentation of the received datasignal of a further time slice, and the further time slice liestemporally before the predefinable time slice.
 29. The method as recitedin claim 28, wherein the further time slice is fixedly selected, and foreach predefinable time slice that lies temporally after the further timeslice, the desired semantic segmentation of the data signal is selectedso as to equal the estimated semantic segmentation of the received datasignal of the further time slice.
 30. The method as recited in claim 16,wherein the first machine learning system is a neural network.
 31. Themethod as recited in claim 17, wherein the first machine learning systemis a neural network.
 32. The method as recited in claim 19, wherein themachine learning system is a neural network.